1. Field of the Invention
The present invention relates to a communication network for which security measures are taken to prevent fraudulent acts, and an automatic security setting method.
2. Description of the Related Art
JP-4-274636-A describes an example of a communication network system for which security measures are taken to prevent fraudulent acts. This prior art system comprises, between a network line controller connected to a transmission path and a computer, a destination identification unit for determining whether or not encryption is required on a destination-by-destination basis with reference to an encryption specifying table; a data encryption unit for reading an encryption method from an external storage device to encrypt transmission data; an encrypted data decryption unit for reading a decryption method from the external storage device to decrypt encrypted data; a source identification unit for identifying the source of received data, and determining whether or not decryption is required with reference to the encryption specifying table; and an encryption method control unit for registering and modifying encryption methods. With the foregoing configuration, the communication network system can encrypt data transferred between arbitrarily specified computers, and can also readily modify the encryption method used therefor.
JP-2000-31957-A describes another example of a communication network system for which security measures are taken to prevent fraudulent acts. In this prior art system, for communicating electronic mail between a pair of nodes through a transmission server and a reception server, the transmission server has encryption means for encrypting electronic mail data transmitted from a transmission node in accordance with a predetermined encryption scheme and transmitting the encrypted electronic mail data, while the reception server has decryption means for decrypting the received encrypted data and transferring the decrypted data to a reception node. This prior art system can individually set a predetermined encryption scheme for each node pair, and can arbitrarily change the settings.
Another example of a communication network system for which security measures are taken to prevent fraudulent acts is a network system conforming to the IPv6 protocol. In IPv6, security functions such as encryption and authentication are incorporated in the protocol itself to enhance the security capability, which had been a weak point of IPv4. The security functions used in IPv6 are called IP Security (Internet Security) and include ESP (Encapsulated Security Payload) based encryption, AH (Authentication Header) based authentication, and the like. ESP-based encryption and AH-based authentication can be selected by a user from those provided at installation. Encryption algorithms available in ESP include DES, 3DES, AES, RC5, IDEA, and the like; when encryption is not utilized in ESP, the NULL encryption algorithm is selected. In both AH and ESP, MD5 and SHA1 are available as authentication algorithms and can be selected by the user. To change the encryption algorithm and/or authentication algorithm in use, the setting must be changed manually.
Since security functions such as encryption and authentication are techniques for preventing fraudulent acts by third parties, such as tapping and tampering, they are not required for communications that use only reliable networks (for example, an intra-network) inherently free from the possibility of such fraudulent acts; if utilized in such a secure environment, the security functions adversely affect the communications by lowering communication efficiency and the like. On the other hand, the security functions are indispensable for communications through open networks such as the Internet, which can be freely accessed by anyone. While conventional communication network systems can control whether or not encryption and/or authentication are required for each destination, they cannot control whether or not encryption and/or authentication are required in accordance with the sub-network to which a given communication party is connected, even when the communication party itself is the same. Therefore, in a communication network system conforming to the IPv6 protocol that handles mobile nodes (mobile terminals) such as portable information terminals, which frequently roam and thereby change their connection from one sub-network to another, there exists a need for techniques for automatically setting an appropriate security method in accordance with the sub-network to which a mobile node is connected.
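The distinction drawn above, between a destination-only table and a selection that also depends on the sub-network the mobile node is attached to, can be illustrated with a small policy selector. This is an added example, not code from the specification or from any cited prior art; the IPv6 prefixes, addresses and the rule that security is skipped only when both ends sit in the same trusted sub-network are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class IpsecSetting:
    esp_algorithm: str            # e.g. "AES", "3DES", or "NULL" (ESP without encryption)
    ah_algorithm: Optional[str]   # e.g. "SHA1", "MD5", or None (no AH)

NO_SECURITY = IpsecSetting("NULL", None)
OPEN_NETWORK_SETTING = IpsecSetting("AES", "SHA1")   # applied when an open network may be crossed

# Constructed example data (assumed prefixes, not from the specification):
# sub-networks regarded as reliable, i.e. free from tapping/tampering risk.
TRUSTED_SUBNETS = [
    ipaddress.ip_network("2001:db8:a::/48"),   # intra-network, site A
    ipaddress.ip_network("2001:db8:b::/48"),   # intra-network, site B
]

def _trusted_net(addr: ipaddress.IPv6Address):
    """Return the trusted sub-network containing addr, or None if it is on an open network."""
    return next((n for n in TRUSTED_SUBNETS if addr in n), None)

def destination_only_setting(dst: str, table: dict) -> IpsecSetting:
    """Prior-art style selection: the peer address alone decides, regardless of
    where the node is currently attached."""
    return table.get(dst, NO_SECURITY)

def subnet_aware_setting(local: str, dst: str) -> IpsecSetting:
    """Select ESP/AH from the sub-network the mobile node is currently attached to.
    Assumed rule: no security only when both ends are in the same trusted sub-network;
    any other path may traverse an open network and gets encryption plus authentication."""
    local_net = _trusted_net(ipaddress.ip_address(local))
    dst_net = _trusted_net(ipaddress.ip_address(dst))
    if local_net is not None and local_net == dst_net:
        return NO_SECURITY
    return OPEN_NETWORK_SETTING

def settings_while_roaming(attachments, dst: str):
    """Re-evaluate the setting for the same peer each time the node's address
    (and hence its sub-network) changes, as happens when a mobile node roams."""
    return [(addr, subnet_aware_setting(addr, dst)) for addr in attachments]
```

With the same peer, the selector yields NULL encryption while the node is attached to the peer's intra-network and switches to AES with SHA1 authentication once the node roams onto a prefix outside the trusted list.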